Holistic (Cyber)hygiene

Outdated technology, lack of oversight, poor planning: lawmakers have cited all of these factors and more as reasons for the recent onslaught of cyber breaches. In the wake of the OPM breaches, government agencies are scrambling to shore up their cyber defenses. Federal CIO Tony Scott recently ordered a “30-day sprint” for government agencies to patch their network vulnerabilities and update their cyber defenses. But is new technology enough?

Bob Dix, head of Global Government Affairs and Public Policy at Juniper Networks, doesn’t think so. In partnership with the RAND Corporation, Juniper Networks just released a report that examines new ways to look at cybersecurity. The report, titled “Economics of Defense: Modeling Security Investments Against Risk in a New Era of Escalating Cyber Threats,” details a different approach some organizations are taking to mitigate the growing number of cyber threats.

In a recent interview with Chris Dorobek on the DorobekINSIDER program, Dix discussed how the public sector could apply this new approach to fundamentally alter cybersecurity as we know it.

Investing in Policy and People

Cyber threats are evolving and becoming more sophisticated, so it only makes sense that cyber defenders have to do the same. According to Dix, government agencies must take a more holistic approach to cybersecurity in order to mitigate the threats they are facing.

Dix argued that each agency’s leadership must look at cybersecurity not just as an IT issue, but also as an enterprise risk management issue. In the private sector, cybersecurity is “not just in the IT shop anymore, it is really becoming a management discussion, a board discussion, and a part of an overall enterprise risk management program for organizations.” He contended that it should be the same for government.

Holistic cybersecurity means moving away from a focus on having the latest technology and looking more broadly at having the right people and strategies. While there is no “one size fits all” approach, Dix said that buying every new tool is neither sufficient nor necessary. Instead, agencies should invest in training that teaches their employees good cyberhygiene.

Approximately 80 percent of exploitable vulnerabilities are a direct result of poor cyberhygiene. Implementing basic training and hygienic practices in the workplace would therefore significantly improve an agency’s cyber protection. “If we raise the bar in that particular space, then we flip the equation for the bad guys, and we make it more expensive and more difficult [for them],” Dix explained.

“It’s not just about investing in the technology, it’s also about investing in people,” Dix said. “Many of the failures that we find are not a result of the technology, but in fact enforcement of policies and processes in an environment that might have either prevented or reduced the impact of a particular event.” In addition to training their current staff, government agencies must also hire personnel with superior cyber skills. “We have to recruit and retain the talent that helps us in this effort to manage risk in cyberspace,” Dix said.

Getting a Seat at the Table

Agencies must develop better cyberdefense strategies on all fronts to deal with cyber attackers. In order to make these changes, conversations about cybersecurity must be elevated to the management level. Involving leadership at the board level gives the organization the flexibility to look beyond the latest technology, to all of the various elements that need to be considered at the investment level for cyberdefense.

Economics, particularly return on investment, has to be part of the cybersecurity discussion. Leaders from each branch of the agency must examine their returns on investment in technology, training and recruiting. They should be asking, “Do we have sufficiently trained people in our environment, are we looking at the other elements of BYOD, the Internet of Things,” are we hiring the right people, and how does each of these elements fit into our cyberdefense strategy? Answering these questions requires input from everyone.

CEOs, CFOs and CIOs alike, “everybody needs a seat at the table,” Dix said. Enterprise risk management should not be up to just one leader, but all of them.

Recent cyber attacks have given the government plenty of impetus to change its approach to cybersecurity. “As defenders and protectors of information,” agencies must adjust their thinking to an outcome-based approach, spanning beyond technology into training and recruitment. Dix believes that a holistic approach will “help inform the decision-making process” to cyberdefense in a more effective and meaningful way.